From ffd7040a6dcfda59a6768fbe481aba332133e83a Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 8 Nov 2016 09:05:12 +0200 Subject: [PATCH] Include local CA in haproxy PEM In order for the browser to trust the certificate served by HAProxy we need to include the CA cert in the PEM file that the endpoints serve. Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417 Closes-Bug: #1639807 --- manifests/certmonger/haproxy.pp | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 504acf3a7..3b8fd09b9 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -36,6 +36,10 @@ # The post-save-command that certmonger will use once it renews the # certificate. # +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # @@ -45,7 +49,8 @@ define tripleo::certmonger::haproxy ( $service_key, $hostname, $postsave_cmd, - $principal = undef, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, ){ include ::haproxy::params certmonger_certificate { "${title}-cert": @@ -69,10 +74,21 @@ define tripleo::certmonger::haproxy ( order => '01', require => Certmonger_certificate["${title}-cert"], } + + if $certmonger_ca == 'local' { + $ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem') + concat::fragment { "${title}-ca-fragment": + target => $service_pem, + source => $ca_pem, + order => '10', + require => Class['tripleo::certmonger::ca::local'], + } + } + concat::fragment { "${title}-key-fragment": target => $service_pem, source => $service_key, - order => 10, + order => 20, require => Certmonger_certificate["${title}-cert"], } }